Annexe A

 

Internal Audit and Counter Fraud

Quarter 2 Progress Report 2022/23

CONTENTS

1.      Summary of Completed Audits

2.      Counter Fraud and Investigation Activities

3.      Action Tracking

4.      Amendments to the Audit Plan

5.      Internal Audit Performance

1.      Summary of Completed Audits

Pension Fund Governance

1.1       East Sussex County Council (ESCC) administers and manages the East Sussex Pension Fund (the Fund) on behalf of 132 employers. The Fund is responsible for managing assets for the long-term benefit of scheme members in accordance with statutory regulations.  Whilst the Pension Committee is responsible for making arrangements for the administration and investment of the Fund, they receive advice as appropriate from the Pension Board, which is a statutory requirement to assist the Scheme Manager (ESCC) in securing compliance with all relevant pensions’ law, regulations and directions.  The administration of the Pension Fund is undertaken by ESCC.

 

1.2       The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:

 

·           Governance arrangements are resilient and provide sufficient and effective oversight;

·           Risk management arrangements are robust;

·           Communication is efficient and effective; and

·           Reporting arrangements ensure that poor performance is identified and corrected.

 

1.3       Based on the work undertaken, we were able to provide an opinion of substantial assurance. Only one minor action for improvement was identified relating to the completion of skills evaluations for members of the Pension Board and Pension Committee.  An appropriate action was agreed with management to address this. 

Capital Project Management

1.4       The capital programme sets out the Council's investment plans to support its core services in the delivery of priority outcomes.  It includes provision for essential school places, investments in roads and transport infrastructure, enhancing the life of existing assets and ensuring they are fit for purpose, and supporting invest to save schemes.

1.5       The agreed capital programme from 2020/21 to 2029/30 contained total planned expenditure of £586m. This was funded from a combination of formula grants (£211.6m), S106/CIL contributions (£41.8m), specific project grants (£44.8m), capital receipts (£19.0m), reserves & revenue set-aside (£40.9m) and borrowing (£227.9m).

1.6       This audit assessed the adequacy and appropriateness of the capital project management frameworks used across the Council, including the corporate project management framework, where inadequate controls could impact on the Council’s ability to deliver key services in accordance with its core offer.  The review was limited to the design of the frameworks; we did not test compliance with them at this stage.

 

1.7       As a result of our work, we were able to provide a reasonable assurance opinion.  We found that a corporate framework is in place, which covers many of the principles of good project management and is easily accessible.  The corporate framework is supplemented by a bespoke framework used by the IT and Digital Department (IT&D).

1.8       Whilst the frameworks used were found to have appropriate coverage, we did identify some areas where improvements could be made.  These related to the need to:

·           establish formal governance arrangements for maintaining the corporate framework to ensure it remains fit for purpose;

·           clarify when (or if) use of the framework should be mandatory and to establish criteria to define where the use of other frameworks is appropriate;

·           establish a mechanism to identify the complexity of projects to ensure that proportionate resources are allocated to project management;

·           strengthen guidelines to provide further clarity over the responsibilities for project roles and clients, including those for consultants used in projects; and

·           document both gross and net project risks to provide a more effective risk management process and improve the likelihood that projects deliver the required outcomes.

1.9       A formal action plan was agreed with management to address these findings. 

1.10     Whilst the use of the corporate framework may not be mandatory, we shall continue to review individual high-profile projects where their success is essential to the running of Council services.

Procurement Data Analytics

 

1.11     The purpose of this audit was to obtain assurance that, where suppliers have been paid more than £25,000 (a key threshold within Procurement and Contract Standing Orders – PCSOs), during a twelve-month period, PCSOs have been complied with and value for money (VFM) has been demonstrated.

 

1.12     For this exercise, we used data analytics techniques to review the creditors data from SAP (the Council’s ERP system), matching purchase orders (POs) to records on the Corporate Contracts Register and reports on waivers (where approval may have been given to not comply with PCSOs in exceptional circumstances).  Where it appeared that contracts were not in place or on the Corporate Contracts Register, this would indicate potential non-compliance with the Council’s PCSOs.

 

1.13     In completing this work, we identified that there are omissions in the data held on the Council’s Contracts Register associated with a number of creditors.  As the Contracts Register is also the primary basis for information published on the Council website under the Local Transparency Code 2015, the obligation for transparency, as detailed in the Public Contract Regulations 2015 and the Council’s PCSOs, is not being met.  We were, therefore, only able to provide a partial assurance opinion. Our findings included:

 

·           Three instances where POs had been raised in excess of £189,330 against individual creditors during the twelve-month period reviewed, with no contract or waiver in place (£189,330 is the threshold above which contracts should be publicly advertised via full tender, in consultation with the Procurement Team).  The Procurement Team are now taking action to address this with the service areas involved.

 

·           59 creditors where at least one PO with a spend between £25,000 and £189,300 had been raised during the twelve-month period reviewed, but there was no corresponding contract or waiver in place.  It should be noted, however, that our work in relation to these instances was limited to a high-level analysis and no further in-depth review was completed at the time of the audit.  Consequently, there may be some instances where a contract was not required, due to exemptions.

 

1.14     In consulting on the findings of our review with the Procurement Team, a number of improvement actions were agreed to address these as part of a formal management action plan, to help ensure, wherever possible, compliance with the Council’s PCSOs, the Local Government Transparency Code and Public Contracts Regulations 2015.  These actions included:

 

·           Implementing appropriate mechanisms to be able to forecast spend that may exceed PCSO and other thresholds, to assist in ensuring compliance with these;

·           Ensuring that where contracts are known to be in place, these are recorded within the Council’s Contract Register and/or published on the Council’s website under the Local Transparency Code;

·           Enabling the Procurement Team to have access to financial information in order to be able to actively monitor forecast spend against creditors;

·           Monitoring of purchase order information to contracts, to flag or report where purchase orders above thresholds have no contract in place.

 

1.15     The upcoming implementation of the Council’s new ERP system (Oracle) should present an opportunity to implement more robust controls in this area.  Given the partial assurance opinion, we will complete a follow-up review as part of the 2022/23 internal audit plan once the new system has been implemented and had time to embed.

Building Security Follow-Up

1.16     An audit of Building Security was completed in 2021/22, following a number of incidents involving thefts from Council buildings, and this received an audit opinion of partial assurance.  As part of our planned work for 2022/23, we completed a follow-up review to provide assurance that the actions agreed in the previous audit had been implemented.

 

1.17     Our work identified that all but one of the actions previously agreed had been fully implemented and we were therefore able to provide a revised opinion of reasonable assurance.  The remaining action related to the need to document established procedures for identifying when holders of access cards who are not ESCC staff (e.g., NHS staff) no longer require access.  In addition, a further minor action was agreed in relation to clarifying procedures for withdrawing building access from staff who have been suspended.  Both of these actions were agreed with management.

Network Access Controls

 

1.18     Network access management is the process by which users' network accounts and associated access is controlled, in order to maintain a secure data environment and therefore prevent unauthorised access to systems and data. Our audit was undertaken to understand the control environment for managing such access and changes across the Council, to obtain assurance that:

 

·           Staff accounts are up-to-date and only have the correct network access permissions relevant to their job role;

·           The Active Directory is regularly reconciled, and all leavers are removed;

·           Users' permission changes are completed efficiently and accurately for internal movers; and

·           New starters' network accounts are set up correctly.

 

1.19     Our audit established that the expected controls were in place and operating effectively. Key findings from our review included:

 

·           There are fully documented process maps and a Responsibility and Accountability Matrix (RACI) for each process required by the relevant departments for access management, including those conducted by the Access Management (AM) team;

·           Our testing identified prompt disabling of leavers’ accounts;

·           Controls are in place to ensure contractors and agency access is removed in a timely manner;

·           Requests for new network accounts and amendments to accounts were robustly managed;

·           Network accounts were created using a 'copy user' functionality which assisted Access Management in assigning appropriate permissions;

·           General maintenance of the Active Directory was effective; and

·           Controls to ensure accounts classed as ‘privileged’, with powerful administration access to servers and systems, are well-established.

 

1.20     We identified one process weakness where, when accounts are created, they are not assigned a unique identifier within the Active Directory (AD) (e.g., personnel number).  Whilst it is a minor risk, it could create the potential for issues when amending, deleting or creating accounts of users with the same or a similar name.

 

 

1.21     As a result of our findings, and the low-risk action agreed, we were able to give an overall opinion of reasonable assurance.

 

Modernising Back Office Systems (MBOS) Audit Work

 

1.22     The MBOS programme was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to the current version of SAP.  Following a procurement process, Oracle Fusion was selected as the replacement, and this is expected to go live in quarter 1 of the 2023/24 financial year.

 

1.23     Alongside ad-hoc advice, support and guidance provided to the Programme Board, key workstreams and key stakeholders, a programme of work to support the implementation of the system has been agreed with the Board.  In the past quarter, the following work has been delivered:

 

MBOS - Key Control Work (Phase 1)

 

1.24     The primary objective of this work was to ensure that the key controls expected to be in place within the new system, in order to provide an effective control framework, are included as part of the design process.

 

1.25     The new system will be responsible for key functions across the Council. As part of our work, we concentrated on reviewing the control environment for the following key processes, considered to be of highest importance, as agreed with the Programme Board:

 

·           HR & Payroll (Human Capital Management);

·           Accounts Payable/Supply Chain Management;

·           Accounts Receivable;

·           Finance; and

·           Projects.

 

1.26     Our work, which was undertaken at an early stage in the design and build process, identified a number of areas where improvements were required, including the need to:

 

·           improve the quality and completeness of system design documentation;

·           clarify the use of ‘mandatory fields’ in order to maintain sufficient levels of data quality; and

·           define and document the system audit trail requirements. 

 

1.27     In reporting our findings, programme management have committed to ensuring that appropriate action is taken to improve the control environment and have requested continued support from Internal Audit in evaluating this as the project progresses.

 

 

MBOS Reporting Arrangements

 

1.28     The primary objective of this work was to ensure the reporting functionality required by all business users is available from the new system.

 

1.29     In completing this review, we found that key reporting requirements have been identified and there is suitable testing in place to ensure reports are fit-for-purpose.  Wherever possible, standard reports produced by the system will be used to help reduce the risks associated with using and updating custom-built reports.

 

MBOS Data Cleansing and Migration

 

1.30     Data cleansing and migration are important for organisations when implementing a replacement system, as it helps to ensure the accuracy, completeness and consistency of the data from the legacy system.

 

1.31     The purpose of this review was to provide a view as to the adequacy of the arrangements in place to meet the following objectives:

 

·           Data ownership/stewardship is clearly defined, including associated responsibilities;

·           Appropriate steps are being taken to cleanse data prior to it being migrated into Oracle, with decisions and corresponding approval being recorded;

·           Issues in relation to data mapping are being recorded and addressed in a timely manner; and

·           A data standard for the system is clearly defined and controls are in place to ensure continued compliance.

 

1.32     We found that there is a data ownership document in place which includes well defined responsibilities.  Whilst appropriate officers (Subject Matter Experts - SMEs) have knowledge of the relevant information needed for a data standard (e.g., date format, cost code structures etc), no such standard had been formally established or documented.   Introduction of a data standard will help ensure data is being cleansed consistently and to a high standard across all data sets as part of the MBOS programme.

 

1.33     Data cleansing control arrangements are in place. Some known issues were being managed as part of the ordinary programme risk and issue management arrangements.

 

1.34     A position statement summarising our work in this area was presented to the Programme Board for corrective action to be incorporated into the programme plan as appropriate.

 

 

 

Direct Payments Follow Up

1.35     Direct Payments are payments made directly to Adult Social Care clients that allow them to choose and pay for support to meet the level of care required, following an assessment of their needs.  The legal framework for Direct Payments is set out in the Care Act 2014, Section 117(2C) of the Mental Health Act 1983 and the Care and Support (Direct Payments) Regulations 2014.

1.36     All clients are offered the option of a Direct Payment at assessment and at review.  Direct Payments are established through an Individual Service Agreement, which states the weekly amount paid by ESCC, and the amount that the client must contribute towards the cost of their care.

1.37     Clients have the option to manage their own Direct Payment account or may choose to have the account managed by ESCC or an external service provider.

1.38     An audit of Direct Payments was completed in 2020/21 and received an audit opinion of partial assurance.  The audit contained seven actions agreed with management, including one rated as high priority.  As a result, we completed a follow up review to provide assurance that the actions agreed in that audit had been implemented.

1.39     Our work identified that improvements have been made to strengthen the monitoring of clients’ accounts, including where their accounts are managed by external providers.  Transactions on client-managed card accounts now have more complete details recorded, further improving the Council’s ability to monitor expenditure to ensure it is appropriate.  The Care Management Team is also now working more closely with the Direct Payments Team to prioritise monitoring on the basis of risk. 

1.40     As a result of the improvements we identified, we were able to issue an opinion of reasonable assurance on the controls in place.  Only a few outstanding actions remained and were agreed with management.  These covered the need to:

·           absorb the new processes for the regular review of clients’ direct payments into business as usual; and

·           continue to strengthen the process for monitoring clients’ expenditure to ensure that it is appropriate.

Elective Home Education

1.41     Under Section 7 of the Education Act, 1966, parents have the right to educate their child(ren) at home. Where they do, Local Authorities have a legal duty to ensure that a suitable education is being provided and a moral and social obligation to ensure such children are safe and suitably educated, where there is a risk of harm and/or a lack of proper education.

 

1.42     The purpose of this audit was to provide assurance that:

·           Robust processes are in place to ensure that, where concerns are raised in relation to the safeguarding of electively home educated children, these are subject to appropriate follow-up;

·           Adequate controls exist to ensure that children who are being electively home educated receive an appropriate education;

·           Effective processes are in place for returning children to school where elective home education is not appropriate;

·           Appropriate advice and support is provided to parents and carers in relation to the risks and responsibilities surrounding elective home education; and

·           There is a robust process in place to identify potentially unregistered schools and respond to these appropriately.

1.43     In completing our work, we found that robust controls were in place, and we were able to provide an opinion of substantial assurance.  Only a small number of actions were agreed with management to further improve controls, including the need to ensure that the relevant safeguarding policies include reference to identifying and raising safeguarding concerns in relation to electively home educated children.

Department for Levelling Up, Housing and Communities (DLUHC) Deep Dive   

 

1.44     Local Enterprise Partnerships (LEPs) were set up by Government in 2011 to identify and support local strategic growth priorities, encourage business investment and promote economic development.  The South East Local Enterprise Partnership (SELEP) provides grants and loan funding to the Council to support the delivery of a number of projects.

 

1.45     Essex County Council (ECC) is the host accountable body for SELEP.  The DLUHC is undertaking an assurance review (deep dive) of SELEP, as part of which, a request was made, through ECC, for information supporting the grant agreements and procurement activities undertaken for projects delivered by Sea Change Sussex (SCS).

 

1.46     We provided additional resource and support in obtaining the evidence to support the request received.  This involved the review of extensive documentation and the collation and analysis of records dating back many years.  The requested work was completed, and this enabled the Council to provide the required information to ECC.  No report was produced, and this work provided no opinion. 

 

 

 

 

 

 

Grants Related Audit Work

Contain Outbreak Management Fund

1.47     The Local Authority Test and Trace Contain Outbreak Management Fund was a grant provided to support councils towards expenditure lawfully incurred to manage local outbreaks of COVID-19.

1.48     A return to the Department of Health and Social Care was required for this grant during the second quarter to confirm that expenditure had been incurred in accordance with the terms of the grant.  Through our testing, we were able to confirm that the funding had been used in line with the grant’s conditions.

1.49     There were no findings or actions for improvement identified during our work and we were able to sign the return as correct.

Bus Service Operators Grant (BSOG)

1.50     Payments from the Department of Transport (DfT) are made to local authorities for the running of local and community bus services.  BSOG intends to benefit passengers through:

 

·           helping to keep fares down; and

·           enabling operators to run services that might otherwise be unprofitable and could lead to their closure.

1.51     The grant is ring-fenced and should be used to fund the provision of supported bus services or other related transport provision.  We are required to undertake sample testing across a number of routes and payments made to operators on an annual basis to ensure that payments are calculated accurately, and that the conditions attached to the grant are complied with. We were able to confirm that payments were correct, and that the Council had complied with the terms of the grant.  A signed declaration was returned to the DfT within the required timescales.

Additional Dedicated Home to School Transport (Covid) Grant

1.52     The Additional Dedicated Home to School Transport (Covid) Grant was provided to the Council to support the operation of buses and taxis where social distancing requirements meant that usual services were not sufficient (e.g., where class bubble arrangements could not be catered for in a single bus or taxi).

1.53     The grant is ring-fenced and can only be used to support provision of home to school transport routes where there is an impact from Covid-19.  We were able to confirm that payments were correct, and that the Council had complied with the terms of the grant. A signed declaration was returned to the DfE.

 

 

Local Transport Capital Block Funding (Integrated Transport and Highway Maintenance Blocks) Grant, Including Traffic Signals

1.54     Payments from the Department of Transport (DfT) are made to local authorities in relation to highway maintenance and infrastructure, including traffic signals and pothole repair. The grant included five elements:

·         Integrated Transport Block;

·         Highways Maintenance Block needs element;

·         Highways Maintenance Block incentive element;

·         Pothole Fund after advance payment; and

·         Traffic Signals Maintenance.

1.55     The grant was not ring-fenced but was to be used only for the purposes that a capital receipt may be used for. Internal Audit was required to confirm that the conditions had been complied with. A sample of transactions were tested to confirm that they were in compliance with the funding conditions, and a signed declaration was returned to the DfT within the required timescales.

2.   Counter Fraud and Investigation Activities

 

Counter Fraud Activities

 

2.1       We are currently working with services to ensure that the relevant data extracts are uploaded for the 2022 NFI data matching exercise. The matches from the exercise will be available to review from January 2023.

 

2.2       The team also continue to monitor intel alerts and share information with relevant services when appropriate.

 

Summary of Completed Investigations

 

Recruitment Corruption

 

2.3       A concern was reported that there was a potential conflict of interest in a recent recruitment exercise that had occurred in the Adult Social Care Team. The investigation concluded that no preferential treatment had taken place and the concerns were unsubstantiated. 

 

 

 

 

 

 

Bank Mandate Fraud

 

2.4       Internal Audit conducted an investigation following notification that ESCC had been the victim of a bank mandate fraud, totalling £206,847.53. The investigation found that, whilst ESCC had robust controls in place designed to prevent this type of fraud, the officer who had processed the change in bank mandate had not followed these procedures.  Following our investigation, the officer was subject to disciplinary action which resulted in the issuing of a final written warning.  Further opportunities were taken to strengthen controls and to reinforce the message to ensure correct procedures are followed at all times.  It should also be noted that we have previously provided (Sept 2021) fraud awareness sessions with Business Operations staff, alerting officers to the risk of mandate fraud.  We plan to provide further training on this later this year. 

 

2.5       Although the Police (and the bank) are actively investigating this matter, we understand that this could take many months, and that the likelihood of recovering the funds is low.

 

Adoption South-East

 

2.6       A concern was raised regarding an irregularity in relation to funding that was received from the Adoption Support Fund (ASF).  The member of staff who was responsible for applying to the fund, tracking funding received and completing spend confirmations, had not been following the correct procedures.  As a result, spend confirmations were outstanding from 2015.  This led to the service having to conduct a lengthy reconciliation exercise, which identified that funding of £200,242.60 was required to be returned to the ASF.  This was not a loss to the Council as it was money that had been applied for, but not spent.  However, it was found that payments had been made to six therapists without the correct application and approval process being followed, resulting in an overspend of £28,361.77.

 

2.7       In reviewing the arrangements in relation to this, a number of control weaknesses were identified, and these were reported to the service so that improvements could be made. The staff member retired during our investigation.

 

Department for Work and Pensions System Security Breach

2.8       In July 2022, the Department for Work and Pensions (DWP) informed the Council of a potential security breach of their system (Searchlight).  An investigation was undertaken which resulted in the system user being issued with a formal written warning.  Training was provided to all system users within the team, reminding them that they should only use the system for genuine business reasons.

3.         Action Tracking

3.1       All high priority actions agreed with management as part of individual audit reviews are subject to action tracking.  As at the end of the quarter, 100% of high priority actions due had been implemented.

4.         Amendments to the Audit Plan

4.1       In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk.  Through discussions with management, the following reviews have been added to the audit plan so far this year:

| Review | Rationale for Addition |
|---|---|
| Ukraine | Support and advice in relation to cash payments to Ukrainian guests. |
| Broadband Grant | Additional grant that required certification. |
| Covid Bus Services Support Grant 22/23 | New grant that required certification. |
| Additional Dedicated Home to School and College Transport Grant 22/23 | New grant that required certification. |
| Department for Levelling Up, Housing and Communities Deep Dive | The provision of support to CET who were compiling a response to DLUHC, which was carrying out a detailed review of expenditure made under grants that were disbursed through the Council. |

4.2       The following audit work is currently in progress or is scheduled for quarter 3:

 

In Progress:

 

·           LCS/Controcc

·           Children’s Data Handling

·           Public Health Grant

·           UK Community Renewal Fund

·           Vehicle Use Follow-Up

·           Contract Management

·           Use of Consultants

·           Climate Change

·           Accounts Receivable

·           IT Asset Procurement (Value for Money)

·           I-Connect Application Controls (Pensions)

·           Building Condition Asset Management Follow-Up

·           Adult Safeguarding

·           Meta Compliance IT Application Audit

·           Pension Fund Cash Management

 

Scheduled:

 

·           Accounts Payable

·           Payroll

·           Adult Social Care Reform

·           MBOS Key Control Work – Phase 2

·           Corporate Governance

·           Health and Safety

·           Waste Management

·           Cyber Security

·           Administration of Pension Benefit Payments

·           Pension Fund Investments and Accounting

·           External Funding, Grants and Loans

·           Home to School Transport Follow Up

·           Contract Management Group Cultural Compliance Follow-Up

5.         Internal Audit Performance

5.1       In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:

| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score (RAG) | Actual Performance |
|---|---|---|---|---|
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | The Annual Plan was approved by the Audit Committee on 29 March 2022. |
| | Annual Audit Report and Opinion | By end July | G | The Annual Report and Audit Opinion was approved by the Audit Committee on 8 July 2022. |
| | Customer Satisfaction Levels | 90% satisfied | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | G | 54.2% achieved to the end of Q2, against a Q2 target of 45%. |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | January 2018 – External assessment by the South-West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings. April 2022 – Updated self-assessment against the standards within the PSIAS underway and preparations for the full independent external assessment in progress. June 2022 – Internal quality review identified no major areas of non-conformance. |
| | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 97% for high priority agreed actions | G | 100% |
| Our staff | Professionally Qualified/Accredited | 80% | G | 91% |


Appendix B

Audit Opinions and Definitions

| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud.  There is a high risk to the ability of the system/service to meet its objectives. |